Audit Report
Grupo Canton
Audited on December 02 2011
Reported on December 02 2011
Page 1
Audit Report
1. Executive Summary
This report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of
your network. Access to this information by unauthorized personnel may allow them to compromise your network.
Site Name:  Grupo Canton
Start Time: December 02, 2011 13:06, COT
End Time:   December 02, 2011 13:16, COT
Total Time: 10 minutes
Status:     Success
There is not enough historical data to display overall asset trend.
The audit was performed on one system which was found to be active and was scanned.
There were 56 vulnerabilities found during this scan. Of these, 8 were critical vulnerabilities. Critical vulnerabilities require immediate
attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 42
vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.
There were 6 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting
subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.
There were 3 occurrences of the certificate-common-name-mismatch, tls-server-cert-expired and ssl-self-signed-certificate
vulnerabilities, making them the most common vulnerabilities. There were 72 vulnerabilities in the Web category, making it the most
common vulnerability category.
The http-apache-apr_palloc-heap-overflow vulnerability poses the highest risk to the organization with a risk score of 450. Vulnerability
risk scores are calculated by looking at the likelihood of attack and impact, based upon CVSS metrics. The impact and likelihood are
then multiplied by the number of instances of the vulnerability to come up with the final risk score.
One operating system was identified during this scan.
There were 5 services found to be running during this scan.
The HTTP, HTTPS, MySQL, SMTP and SSH services were found on 1 system, making them the most common services. The HTTPS
and HTTP services were found to have the most vulnerabilities during this scan, each with 37 vulnerabilities.
2. Discovered Systems
Node:             174.143.96.250
Operating System: Red Hat Linux
Risk:             33,173
Aliases:          grupocanton.com, 228605-web1.www.tabascohoy.com
3. Discovered and Potential Vulnerabilities
3.1. Critical Vulnerabilities
3.1.1. Apache httpd APR apr_palloc heap overflow (CVE-2009-2412) (http-apache-apr_palloc-heap-overflow)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if a non-Apache application can be passed unsanitized user-
provided sizes to the apr_palloc() function. Review your Web server configuration for validation.
A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that try to apr_palloc() a user controlled
size. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so it could only be triggered
through some other application which uses apr_palloc() in a vulnerable way.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443    Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2009-11-09
BID 35949
CVE CVE-2009-2412
OSVDB 56765
OSVDB 56766
OVAL OVAL8394
OVAL OVAL9958
SECUNIA 36138
SECUNIA 36140
SECUNIA 36166
SECUNIA 36233
SECUNIA 37152
SECUNIA 37221
SUSE SUSE-SA:2009:050
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.13.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.1.2. MySQL dispatch_command() Multiple Format String Vulnerabilities (mysql-dispatch_command-multiple-format-string)
Description:
Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through
5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via
format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request.
Affected Nodes:
Node                  Additional Information
174.143.96.250:3306   Running vulnerable MySQL service: MySQL 5.0.77.
References:
Source Reference
APPLE APPLE-SA-2010-03-29
BID 35609
CVE CVE-2009-2446
OSVDB 55734
OVAL OVAL11857
REDHAT RHSA-2010:0110
SECUNIA 35767
SECUNIA 38517
XF mysql-dispatchcommand-format-string(51614)
Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.84
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.1.3. Apache httpd mod_proxy_ftp FTP command injection (CVE-2009-3095) (apache-httpd-2_2_x-mod_proxy_ftp-ftp-command-injection-cve-2009-3095)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server
configuration for validation.
A flaw was found in the mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass
intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary
commands to the FTP server.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443    Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2010-03-29
CVE CVE-2009-3095
DEBIAN DSA-1934
OVAL OVAL8662
OVAL OVAL9363
SECUNIA 37152
SUSE SUSE-SA:2009:050
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.14.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.1.4. Apache httpd Range header remote DoS (CVE-2011-3192) (apache-httpd-cve-2011-3192)
Description:
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause
httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. This could be
used in a denial of service attack.
Affected Nodes:
Node                  Additional Information
174.143.96.250:443    Server responded with partial content to a request with malicious Range headers
References:
Source Reference
APPLE APPLE-SA-2011-10-12
BID 49303
CERT-VN 405811
CVE CVE-2011-3192
OSVDB 74721
REDHAT RHSA-2011:1245
REDHAT RHSA-2011:1294
REDHAT RHSA-2011:1300
REDHAT RHSA-2011:1329
REDHAT RHSA-2011:1330
REDHAT RHSA-2011:1369
SECUNIA 45606
SECUNIA 45937
SECUNIA 46000
SECUNIA 46125
SECUNIA 46126
URL http://httpd.apache.org/security/vulnerabilities_20.html
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-http-byterange-dos(69396)
Vulnerability Solution:
Apache >= 2.0 and < 2.1
Upgrade to Apache version 2.0.65
Download and apply the upgrade from: http://httpd.apache.org/download.cgi
Apache HTTP server version 2.0.65 is currently not available for download. Please check the Apache HTTP server download page for
more information.
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built
packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they
are available for your operating system.
Apache >= 2.2 and < 2.3
Upgrade to Apache version 2.2.20
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.20.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.1.5. Apache httpd APR-util XML DoS (CVE-2009-1955) (http-apache-apr-util-xml-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker could convince Apache to consume a specially crafted
XML document. Review your Web server configuration for validation.
A denial of service flaw was found in the bundled copy of the APR-util library Extensible Markup Language (XML) parser. A remote
attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML
decoding engine.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443    Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2009-11-09
BID 35253
CVE CVE-2009-1955
DEBIAN DSA-1812
OVAL OVAL10270
OVAL OVAL12473
REDHAT RHSA-2009:1107
REDHAT RHSA-2009:1108
SECUNIA 34724
SECUNIA 35284
SECUNIA 35360
SECUNIA 35395
SECUNIA 35444
SECUNIA 35487
SECUNIA 35565
SECUNIA 35710
SECUNIA 35797
SECUNIA 35843
SECUNIA 36473
SECUNIA 37221
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.1.6. PHP Multiple Vulnerabilities Fixed in version 5.3.1 (http-php-multiple-vulns-5-3-1)
Description:
Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent
possible DOS via temporary file exhaustion.
Added missing sanity checks around exif processing.
Fixed a safe_mode bypass in tempnam().
Fixed a open_basedir bypass in posix_mkfifo().
Fixed bug #50063 (safe_mode_include_dir fails).
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2009-11-09
APPLE APPLE-SA-2010-03-29
CVE CVE-2009-3292
CVE CVE-2009-3557
CVE CVE-2009-3558
CVE CVE-2009-3559
CVE CVE-2009-4017
DEBIAN DSA-1940
OSVDB 58186
OVAL OVAL10483
OVAL OVAL6667
OVAL OVAL7396
OVAL OVAL7652
OVAL OVAL9982
SECUNIA 36791
SECUNIA 37412
SECUNIA 37482
SECUNIA 37821
SECUNIA 40262
SECUNIA 41480
SECUNIA 41490
URL http://www.php.net/ChangeLog-5.php#5.3.1
URL http://www.php.net/releases/5_3_1.php
XF php-multipart-formdata-dos(54455)
Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/get/php-5.3.1.tar.gz/from/a/mirror
Upgrade to PHP v5.3.1 (released on November 19th, 2009).
3.1.7. MySQL yaSSL CertDecoder::GetName Multiple Buffer Overflows (mysql-yassl-certdecodergetname-multiple-bofs)
Description:
Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used
in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote
attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL
connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the
vd_mysql5 module in VulnDisco Pack Professional 8.11.
Affected Nodes:
Node                  Additional Information
174.143.96.250:3306   Running vulnerable MySQL service: MySQL 5.0.77.
References:
Source Reference
BID 37640
BID 37943
BID 37974
CVE CVE-2009-4484
DEBIAN DSA-1997
OSVDB 61956
SECUNIA 37493
SECUNIA 38344
SECUNIA 38364
SECUNIA 38517
SECUNIA 38573
URL http://bugs.mysql.com/bug.php?id=50227
URL http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html
URL http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html
XF mysql-unspecified-bo(55416)
Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.90
Upgrade to MySQL v5.0.90
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
MySQL >= 5.1.0 and < 5.1.43
Upgrade to MySQL v5.1.43
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.1.8. OpenSSH X11 Cookie Local Authentication Bypass Vulnerability (openssh-x11-cookie-auth-bypass)
Description:
Before version 4.7, OpenSSH did not properly handle when an untrusted cookie could not be created. In its place, it uses a trusted X11
cookie. This allows attackers to violate intended policy and gain user privileges by causing an X client to be treated as trusted.
Affected Nodes:
Node                  Additional Information
174.143.96.250:22     Running vulnerable SSH service: OpenSSH 4.3.
References:
Source Reference
APPLE APPLE-SA-2008-03-18
BID 25628
CVE CVE-2007-4752
DEBIAN DSA-1576
OVAL OVAL10809
OVAL OVAL5599
REDHAT RHSA-2008:0855
SECUNIA 27399
SECUNIA 29420
SECUNIA 30249
SECUNIA 31575
SECUNIA 32241
XF openssh-x11cookie-privilege-escalation(36637)
Vulnerability Solution:
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.7p1.tar.gz
Version 4.7 of OpenSSH was released on September 4th, 2007.
While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH.
These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the
packages if they are available for your operating system.
3.2. Severe Vulnerabilities
3.2.1. Apache httpd mod_deflate DoS (CVE-2009-1891) (http-apache-mod_deflate-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_deflate. Review your Web server
configuration for validation.
A denial of service flaw was found in the mod_deflate module. This module continued to compress large files until compression was
complete, even if the network connection that requested the content was closed before compression completed. This would cause
mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443    Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2009-11-09
CVE CVE-2009-1891
DEBIAN DSA-1834
OSVDB 55782
OVAL OVAL12361
OVAL OVAL8632
OVAL OVAL9248
REDHAT RHSA-2009:1148
REDHAT RHSA-2009:1156
SECUNIA 35721
SECUNIA 35781
SECUNIA 35793
SECUNIA 35865
SECUNIA 37152
SECUNIA 37221
SUSE SUSE-SA:2009:050
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.2. Apache httpd mod_proxy reverse proxy DoS (CVE-2009-1890) (http-apache-mod_proxy-reverse-proxy-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy. Review your Web server
configuration for validation.
A denial of service flaw was found in the mod_proxy module when it was used as a reverse proxy. A remote attacker could use this
flaw to force a proxy process to consume large amounts of CPU time.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443    Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2009-11-09
BID 35565
CVE CVE-2009-1890
DEBIAN DSA-1834
OSVDB 55553
OVAL OVAL12330
OVAL OVAL8616
OVAL OVAL9403
REDHAT RHSA-2009:1148
REDHAT RHSA-2009:1156
SECUNIA 35691
SECUNIA 35721
SECUNIA 35793
SECUNIA 35865
SECUNIA 37152
SECUNIA 37221
SUSE SUSE-SA:2009:050
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.3. MySQL Directory Traversal and Arbitrary Table Access Vulnerability (mysql-directory-traversal-and-arbitrary-table-access)
Description:
Directory traversal vulnerability in MySQL 5.0 before 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass
intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot)
in a table name.
Affected Nodes:
Node                  Additional Information
174.143.96.250:3306   Running vulnerable MySQL service: MySQL 5.0.77.
References:
Source Reference
APPLE APPLE-SA-2010-11-10
CVE CVE-2010-1848
OVAL OVAL10258
OVAL OVAL7210
REDHAT RHSA-2010:0442
REDHAT RHSA-2010:0824
URL http://bugs.mysql.com/bug.php?id=53371
URL http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
URL http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.91
Upgrade to MySQL v5.0.91
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
MySQL >= 5.1.0 and < 5.1.47
Upgrade to MySQL v5.1.47
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.2.4. MySQL vio_verify_callback() Zero-Depth X.509 Certificate Vulnerability (mysql-vio_verify_callback-zero-depth-x-509-certificate)
Description:
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 accepts a value of zero for
the depth of X.509 certificates when OpenSSL is used. This allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL
servers via a crafted certificate.
Affected Nodes:
Node                  Additional Information
174.143.96.250:3306   Running vulnerable MySQL service: MySQL 5.0.77.
References:
Source Reference
CVE CVE-2009-4028
OVAL OVAL10940
OVAL OVAL8510
REDHAT RHSA-2010:0109
URL http://bugs.mysql.com/bug.php?id=47320
URL http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html
URL http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html
Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.88
Upgrade to MySQL v5.0.88
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
MySQL >= 5.1.0 and < 5.1.41
Upgrade to MySQL v5.1.41
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.2.5. OpenSSH X11 Forwarding Information Disclosure Vulnerability (ssh-openssh-x11-fowarding-info-disclosure)
Description:
Certain versions of OpenSSH do not properly bind TCP ports on the local IPv6 interface if the required IPv4 ports are in use. This
could allow a local attacker to hijack a forwarded X11 session via opening TCP port 6010 (IPv4).
Affected Nodes:
Node                  Additional Information
174.143.96.250:22     Running vulnerable SSH service: OpenSSH 4.3.
References:
Source Reference
APPLE APPLE-SA-2008-09-15
BID 28444
CERT TA08-260A
CVE CVE-2008-1483
DEBIAN DSA-1576
NETBSD NetBSD-SA2008-005
OVAL OVAL6085
SECUNIA 29522
SECUNIA 29537
SECUNIA 29554
SECUNIA 29626
SECUNIA 29676
SECUNIA 29683
SECUNIA 29686
SECUNIA 29721
SECUNIA 29735
SECUNIA 29873
SECUNIA 29939
SECUNIA 30086
SECUNIA 30230
SECUNIA 30249
SECUNIA 30347
SECUNIA 30361
SECUNIA 31531
SECUNIA 31882
URL http://www.openssh.org/txt/release-5.0
XF openssh-sshd-session-hijacking(41438)
Vulnerability Solution:
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.0p1.tar.gz
Version 5.0 of OpenSSH was released on April 3rd, 2008.
While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH.
These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the
packages if they are available for your operating system.
3.2.6. Apache httpd APR-util off-by-one overflow (CVE-2009-1956) (http-apache-apr-util-off-by-one-overflow)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker can provide a specially crafted string to a function that
handles a variable list of arguments on big-endian platforms. Review your Web server configuration for validation.
An off-by-one overflow flaw was found in the way the bundled copy of the APR-util library processed a variable list of arguments. An
attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian
platforms, potentially lead to the disclosure of sensitive information or a denial of service.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443    Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2009-11-09
BID 35251
CVE CVE-2009-1956
OVAL OVAL11567
OVAL OVAL12237
REDHAT RHSA-2009:1107
REDHAT RHSA-2009:1108
SECUNIA 34724
SECUNIA 35284
SECUNIA 35395
SECUNIA 35487
SECUNIA 35565
SECUNIA 35710
SECUNIA 35797
SECUNIA 35843
SECUNIA 37221
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.7. PHP Multiple Vulnerabilities Fixed in version 5.3.2 (http-php-multiple-vulns-5-3-2)
Description:
Improved LCG entropy.
Fixed safe_mode validation inside tempnam() when the directory path does not end with a /.
Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
References:
Source Reference
URL http://www.php.net/releases/5_3_2.php
URL http://www.php.net/ChangeLog-5.php#5.3.2
Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/get/php-5.3.2.tar.gz/from/a/mirror
Upgrade to PHP v5.3.2 (released on March 4th, 2010).
3.2.8. MySQL COM_FIELD_LIST Command Buffer Overflow Vulnerability (mysql-com_field_list-command-bof)
Description:
A buffer overflow in MySQL 5.0 before 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a
COM_FIELD_LIST command with a long table name.
Affected Nodes:
Node                  Additional Information
174.143.96.250:3306   Running vulnerable MySQL service: MySQL 5.0.77.
References:
Source Reference
APPLE APPLE-SA-2010-11-10
CVE CVE-2010-1850
OVAL OVAL10846
OVAL OVAL6693
REDHAT RHSA-2010:0442
URL http://bugs.mysql.com/bug.php?id=53237
URL http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
URL http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.91
Upgrade to MySQL v5.0.91
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
MySQL >= 5.1.0 and < 5.1.47
Upgrade to MySQL v5.1.47
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.2.9. Apache httpd expat DoS (CVE-2009-3560) (apache-httpd-2_2_x-cve-2009-3560)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker is able to get Apache to parse an untrusted XML
document. Review your Web server configuration for validation.
A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrusted XML
document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the
worker MPM.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443    Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
BID 37203
CVE CVE-2009-3560
DEBIAN DSA-1953
OVAL OVAL10613
OVAL OVAL12942
OVAL OVAL6883
REDHAT RHSA-2011:0896
SECUNIA 37537
SECUNIA 38231
SECUNIA 38794
SECUNIA 38832
SECUNIA 38834
SECUNIA 39478
SECUNIA 41701
SECUNIA 43300
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.17.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.10. Apache httpd expat DoS (CVE-2009-3720) (apache-httpd-2_2_x-cve-2009-3720)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker is able to get Apache to parse an untrusted XML
document. Review your Web server configuration for validation.
A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrusted XML
document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the
worker MPM.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443    Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
CVE CVE-2009-3720
OVAL OVAL11019
OVAL OVAL12719
OVAL OVAL7112
REDHAT RHSA-2010:0002
REDHAT RHSA-2011:0896
SECUNIA 37324
SECUNIA 37537
SECUNIA 37925
SECUNIA 38050
SECUNIA 38231
SECUNIA 38794
SECUNIA 38832
SECUNIA 38834
SECUNIA 39478
SECUNIA 41701
SECUNIA 42326
SECUNIA 42338
SECUNIA 43300
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.17.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.11. Apache httpd apr_brigade_split_line DoS (CVE-2010-1623) (apache-httpd-2_2_x-cve-2010-1623)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if Apache processes non-SSL requests. Review your Web server
configuration for validation.
A flaw was found in the apr_brigade_split_line() function of the bundled APR-util library, used to process non-SSL requests. A remote
attacker could send requests, carefully crafting the timing of individual bytes, which would slowly consume memory, potentially leading
to a denial of service.
Affected Nodes:
Node                  Additional Information
174.143.96.250:80     Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443    Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
BID 43673
CVE CVE-2010-1623
OVAL OVAL12800
REDHAT RHSA-2010:0950
REDHAT RHSA-2011:0896
REDHAT RHSA-2011:0897
SECUNIA 41701
SECUNIA 42015
SECUNIA 42361
SECUNIA 42367
SECUNIA 42403
SECUNIA 42537
SECUNIA 43211
SECUNIA 43285
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.17.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.12. Apache httpd mod_cache and mod_dav DoS (CVE-2010-1452) (apache-httpd-2_2_x-mod_cache-and-mod_dav-dos-cve-2010-1452)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_cache or mod_dav. Review your Web
server configuration for validation.
A flaw was found in the handling of requests by mod_cache and mod_dav. A malicious remote attacker could send a carefully crafted
request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is
further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the
uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used. Acknowledgements: This issue was
reported by Mark Drayton.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2011-03-21
CVE CVE-2010-1452
OVAL OVAL11683
OVAL OVAL12341
REDHAT RHSA-2010:0659
REDHAT RHSA-2011:0896
REDHAT RHSA-2011:0897
SECUNIA 42367
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.16.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.13. Apache httpd mod_proxy crash (CVE-2007-3847) (apache-httpd-2_2_x-mod_proxy-crash-cve-2007-3847)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy. Review your Web server
configuration for validation.
A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker
could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a
forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the
proxy. This could lead to a denial of service if using a threaded Multi-Processing Module.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2008-03-18
APPLE APPLE-SA-2008-05-28
BID 25489
CERT TA08-150A
CVE CVE-2007-3847
OVAL OVAL10525
REDHAT RHSA-2007:0746
REDHAT RHSA-2007:0747
REDHAT RHSA-2007:0911
REDHAT RHSA-2008:0005
SECUNIA 26636
SECUNIA 26722
SECUNIA 26790
SECUNIA 26842
SECUNIA 26952
SECUNIA 26993
SECUNIA 27209
SECUNIA 27563
SECUNIA 27593
SECUNIA 27732
SECUNIA 27882
SECUNIA 27971
SECUNIA 28467
SECUNIA 28606
SECUNIA 28749
SECUNIA 28922
SECUNIA 29420
SECUNIA 30430
SUSE SUSE-SA:2007:061
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.6.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.14. Apache httpd mod_proxy_http DoS (CVE-2008-2364) (apache-httpd-2_2_x-mod_proxy_http-dos-cve-2008-
2364)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_http. Review your Web server
configuration for validation.
A flaw was found in the handling of excessive interim responses from an origin server when using mod_proxy_http. A remote attacker
could cause a denial of service or high memory usage.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2008-10-09
BID 29653
BID 31681
CVE CVE-2008-2364
OVAL OVAL11713
OVAL OVAL6084
OVAL OVAL9577
REDHAT RHSA-2008:0966
REDHAT RHSA-2008:0967
SECUNIA 30621
SECUNIA 31026
SECUNIA 31404
SECUNIA 31416
SECUNIA 31651
SECUNIA 31904
SECUNIA 32222
SECUNIA 32685
SECUNIA 32838
SECUNIA 33156
SECUNIA 33797
SECUNIA 34219
SECUNIA 34259
SECUNIA 34418
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-modproxy-module-dos(42987)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.9.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.15. Apache httpd Signals to arbitrary processes (CVE-2007-3304) (apache-httpd-2_2_x-signals-to-arbitrary-
processes-cve-2007-3304)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if a local attacker can run scripts on the HTTP server. Review your
Web server configuration for validation.
The Apache HTTP server did not verify that a process was an Apache child process before sending it signals. A local attacker with the
ability to run scripts on the HTTP server could manipulate the scoreboard and cause arbitrary processes to be terminated which could
lead to a denial of service.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
BID 24215
CVE CVE-2007-3304
OVAL OVAL11589
REDHAT RHSA-2007:0532
REDHAT RHSA-2007:0556
REDHAT RHSA-2007:0557
REDHAT RHSA-2007:0662
REDHAT RHSA-2008:0261
SECUNIA 25827
SECUNIA 25830
SECUNIA 25920
SECUNIA 26211
SECUNIA 26273
SECUNIA 26443
SECUNIA 26508
SECUNIA 26611
SECUNIA 26759
SECUNIA 26790
SECUNIA 26822
SECUNIA 26842
SECUNIA 26993
SECUNIA 27121
SECUNIA 27209
SECUNIA 27563
SECUNIA 27732
SECUNIA 28212
SECUNIA 28224
SECUNIA 28606
SGI 20070701-01-P
SUSE SUSE-SA:2007:061
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-child-process-dos(35095)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.6.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.16. Apache httpd mod_proxy reverse proxy exposure (CVE-2011-3368) (apache-httpd-cve-2011-3368)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy. Review your Web server
configuration for validation.
An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or
ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive
information from internal web servers not directly accessible to the attacker. Acknowledgements: This issue was reported by Context
Information Security Ltd.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
BID 49957
CVE CVE-2011-3368
REDHAT RHSA-2011:1391
REDHAT RHSA-2011:1392
SECUNIA 46288
SECUNIA 46414
URL http://httpd.apache.org/security/vulnerabilities_20.html
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-modproxy-information-disclosure(70336)
Vulnerability Solution:
Apache >= 2.0 and < 2.1
Upgrade to Apache version 2.0.65
Download and apply the upgrade from: http://httpd.apache.org/download.cgi
Apache HTTP server version 2.0.65 is currently not available for download. Please check the Apache HTTP server download page for
more information. Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built
packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they
are available for your operating system.
Apache >= 2.2 and < 2.3
Upgrade to Apache version 2.2.22
Download and apply the upgrade from: http://httpd.apache.org/download.cgi
Apache HTTP server version 2.2.22 is currently not available for download. Please check the Apache HTTP server download page for
more information. Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built
packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they
are available for your operating system.
3.2.17. X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)
Description:
The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.
Before issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in
the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a
certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by
"https://www.example.com/", the CN should be "www.example.com".
In order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then
launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN,
that should match the name of the entity (hostname).
A CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being
conducted.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:25 The subject common name found in the X.509 certificate ('CN=plesk') does not seem to
match the scan target '174.143.96.250': Subject CN 'plesk' does not match node name
'174.143.96.250'; Subject CN 'plesk' does not match DNS name 'grupocanton.com'
174.143.96.250:443 The subject common name found in the X.509 certificate ('CN=plesk') does not seem to
match the scan target '174.143.96.250': Subject CN 'plesk' does not match node name
'174.143.96.250'; Subject CN 'plesk' does not match DNS name 'grupocanton.com'
174.143.96.250:587 The subject common name found in the X.509 certificate ('CN=plesk') does not seem to
match the scan target '174.143.96.250': Subject CN 'plesk' does not match node name
'174.143.96.250'; Subject CN 'plesk' does not match DNS name 'grupocanton.com'
References: None
Vulnerability Solution: The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate
(e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the
client and server.
3.2.18. Apache httpd AllowOverride Options handling bypass (CVE-2009-1195) (http-apache-allowoveride-
options-handling-bypass)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if the AllowOverride directive is used with certain Options. Review
your Web server configuration for validation.
A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive
with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as
intended.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2009-11-09
BID 35115
CVE CVE-2009-1195
DEBIAN DSA-1816
OSVDB 54733
OVAL OVAL11094
OVAL OVAL12377
OVAL OVAL8704
REDHAT RHSA-2009:1075
REDHAT RHSA-2009:1156
SECUNIA 35261
SECUNIA 35264
SECUNIA 35395
SECUNIA 35453
SECUNIA 35721
SECUNIA 37152
SUSE SUSE-SA:2009:050
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-allowoverrides-security-bypass(50808)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.19. Apache httpd mod_cache proxy DoS (CVE-2007-1863) (http-apache-mod_cache-proxy-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_cache. Review your Web server
configuration for validation.
A bug was found in the mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted
request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2008-05-28
BID 24649
CERT TA08-150A
CVE CVE-2007-1863
OVAL OVAL9824
REDHAT RHSA-2007:0533
REDHAT RHSA-2007:0534
REDHAT RHSA-2007:0556
REDHAT RHSA-2007:0557
SECUNIA 25830
SECUNIA 25873
SECUNIA 25920
SECUNIA 26273
SECUNIA 26443
SECUNIA 26508
SECUNIA 26822
SECUNIA 26842
SECUNIA 26993
SECUNIA 27037
SECUNIA 27563
SECUNIA 27732
SECUNIA 28606
SECUNIA 30430
SUSE SUSE-SA:2007:061
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.6.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.20. Apache httpd mod_proxy_ajp DoS (CVE-2010-0408) (http-apache-mod_proxy_ajp-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ajp. Review your Web server
configuration for validation.
mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state
until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of
service. Acknowledgements: We would like to thank Niku Toivola of Sulake Corporation for reporting and proposing a patch fix for this
issue.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2010-11-10
BID 38491
CVE CVE-2010-0408
DEBIAN DSA-2035
OVAL OVAL8619
OVAL OVAL9935
REDHAT RHSA-2010:0168
SECUNIA 39100
SECUNIA 39501
SECUNIA 39628
SECUNIA 39632
SECUNIA 39656
SECUNIA 40096
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.15.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.21. MySQL my_net_skip_rest Packet Length Denial of Service Vulnerability (mysql-my_net_skip_rest-packet-
length-dos)
Description:
The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 before 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a
denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:3306 Running vulnerable MySQL service: MySQL 5.0.77.
References:
Source Reference
APPLE APPLE-SA-2010-11-10
CVE CVE-2010-1849
OVAL OVAL7328
URL http://bugs.mysql.com/bug.php?id=50974
URL http://bugs.mysql.com/bug.php?id=53371
URL http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.91
Upgrade to MySQL v5.0.91
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
MySQL >= 5.1.0 and < 5.1.47
Upgrade to MySQL v5.1.47
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.2.22. PHP PHP hangs on numeric value 2.2250738585072011e-308 (php-cve-2010-4645)
Description:
strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-
dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not
properly handled in x87 FPU registers, as demonstrated using 2.2250738585072011e-308.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
References:
Source Reference
BID 45668
CVE CVE-2010-4645
REDHAT RHSA-2011:0195
REDHAT RHSA-2011:0196
SECUNIA 42812
SECUNIA 42843
SECUNIA 43051
SECUNIA 43189
XF php-zendstrtod-dos(64470)
Vulnerability Solution:
Upgrade to PHP v5.2.17
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.17.tar.gz
Upgrade to PHP v5.2.17.
Upgrade to PHP v5.3.5
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.5.tar.gz
Upgrade to PHP v5.3.5.
3.2.23. PHP Fixed possible flaw in open_basedir (php-fixed-possible-flaw-in-open-basedir)
Description:
fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to
the length of a filename.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2011-03-21
BID 44723
CVE CVE-2010-3436
SECUNIA 42729
SECUNIA 42812
Vulnerability Solution:
Upgrade to PHP v5.2.15
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.15.tar.gz
Upgrade to PHP v5.2.15.
Upgrade to PHP v5.3.4
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz
Upgrade to PHP v5.3.4.
3.2.24. PHP possible double free in imap extension (php-possible-double-free-in-imap-extension)
Description:
Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3
before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified
vectors.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2011-03-21
BID 44980
CVE CVE-2010-4150
OVAL OVAL12489
SECUNIA 42729
XF php-phpimapc-dos(63390)
Vulnerability Solution:
Upgrade to PHP v5.2.15
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.15.tar.gz
Upgrade to PHP v5.2.15.
Upgrade to PHP v5.3.4
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz
Upgrade to PHP v5.3.4.
3.2.25. TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)
Description:
The TLS/SSL server supports cipher suites based on weak algorithms. This may enable an attacker to launch man-in-the-middle
attacks and monitor or tamper with sensitive data. In general, the following ciphers are considered weak:
• So-called "null" ciphers, because they do not encrypt data.
• Export ciphers using secret key lengths restricted to 40 bits. This is usually indicated by the word EXP/EXPORT in the name of the
cipher suite.
• Obsolete encryption algorithms with secret key lengths considered short by today's standards, e.g. DES or RC4 with 56-bit keys.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:443 grupocanton.com/174.143.96.250:443 negotiated the
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA cipher suite
References: None
Vulnerability Solution: Configure the server to disable support for weak ciphers.
For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling weak ciphers.
For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For other servers, refer to the respective vendor documentation to disable the weak ciphers.
3.2.26. TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled)
Description:
Although the server accepts clients using TLS or SSLv3, it also accepts clients using SSLv2. SSLv2 is an older implementation of the
Secure Sockets Layer protocol. It suffers from a number of security flaws allowing attackers to capture and alter information passed
between a client and the server, including the following weaknesses:
• No protection against man-in-the-middle attacks during the handshake.
• Weak MAC construction, with the MAC relying solely on the MD5 hash function.
• Exportable cipher suites unnecessarily weaken the MACs.
• The same cryptographic keys are used for message authentication and encryption.
• Vulnerable to truncation attacks by forged TCP FIN packets.
SSLv2 has been deprecated and is no longer recommended. Note that neither SSLv2 nor SSLv3 meet the U.S. FIPS 140-2 standard,
which governs cryptographic modules for use in federal information systems. Only the newer TLS (Transport Layer Security) protocol
meets FIPS 140-2 requirements. In addition, the presence of an SSLv2-only service on a host is deemed a failure by the PCI (Payment
Card Industry) Data Security Standard.
Note that this vulnerability will be reported when the remote server supports SSLv2 regardless of whether TLS or SSLv3 are also
supported.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:443 SSLv2 is supported
References:
Source Reference
URL http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm
URL https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf
Vulnerability Solution: Configure the server to require clients to use at least SSLv3 or TLS.
For Microsoft IIS web servers, see Microsoft Knowledgebase article Q187498 for instructions on disabling SSL 2.0.
For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2
The ! (exclamation point) before SSLv2 is what disables this protocol.
3.2.27. X.509 Server Certificate Is Invalid/Expired (tls-server-cert-expired)
Description:
The TLS/SSL server's X.509 certificate either contains a start date in the future or is expired. Please refer to the proof in the section
below for more details.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:25 The certificate is not valid after Tue, 01 Jun 2010 11:41:37 COT
174.143.96.250:443 The certificate is not valid after Tue, 01 Jun 2010 11:41:37 COT
174.143.96.250:587 The certificate is not valid after Tue, 01 Jun 2010 11:41:37 COT
References: None
Vulnerability Solution: Obtain a new certificate and install it on the server. The exact instructions for obtaining a new certificate depend on your organization's
requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then sent to a
Certificate Authority (CA) for processing. Please ensure that the start date and the end date on the new certificate are valid.
Your organization may have its own internal Certificate Authority. If not, you may have to pay for a certificate from a trusted external
Certificate Authority.
After you have received a new certificate file from the Certificate Authority, you will have to install it on the TLS/SSL server. The exact
instructions for installing a certificate differ for each product. Follow their documentation.
3.2.28. Apache httpd mod_imagemap XSS (CVE-2007-5000) (apache-httpd-2_2_x-mod_imagemap-xss-cve-2007-
5000)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_imagemap. Review your Web server
configuration for validation.
The affected asset is vulnerable to this Apache vulnerability ONLY if an imagemap file is publicly available. Review your Web server
configuration for validation.
A flaw was found in the mod_imagemap module. On sites where mod_imagemap is enabled and an imagemap file is publicly
available, a cross-site scripting attack is possible.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2008-03-18
APPLE APPLE-SA-2008-05-28
BID 26838
CERT TA08-150A
CVE CVE-2007-5000
OSVDB 39134
OVAL OVAL9539
REDHAT RHSA-2008:0004
REDHAT RHSA-2008:0005
REDHAT RHSA-2008:0006
REDHAT RHSA-2008:0007
REDHAT RHSA-2008:0008
REDHAT RHSA-2008:0009
REDHAT RHSA-2008:0261
SECUNIA 28046
SECUNIA 28073
SECUNIA 28081
SECUNIA 28196
SECUNIA 28375
SECUNIA 28467
SECUNIA 28471
SECUNIA 28525
SECUNIA 28526
SECUNIA 28607
SECUNIA 28749
SECUNIA 28750
SECUNIA 28922
SECUNIA 28977
SECUNIA 29420
SECUNIA 29640
SECUNIA 29806
SECUNIA 29988
SECUNIA 30356
SECUNIA 30430
SECUNIA 30732
SECUNIA 31142
SUSE SUSE-SA:2008:021
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.29. Apache httpd mod_proxy_ftp globbing XSS (CVE-2008-2939) (apache-httpd-2_2_x-mod_proxy_ftp-
globbing-xss-cve-2008-2939)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server
configuration for validation.
A flaw was found in the handling of wildcards in the path of an FTP URL with mod_proxy_ftp. If mod_proxy_ftp is enabled to support
FTP-over-HTTP, requests containing globbing characters could lead to cross-site scripting (XSS) attacks.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2009-05-12
BID 30560
CERT TA09-133A
CERT-VN 663763
CVE CVE-2008-2939
OVAL OVAL11316
OVAL OVAL7716
REDHAT RHSA-2008:0966
REDHAT RHSA-2008:0967
SECUNIA 31384
SECUNIA 31673
SECUNIA 32685
SECUNIA 32838
SECUNIA 33156
SECUNIA 33797
SECUNIA 34219
SECUNIA 35074
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-modproxyftp-xss(44223)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.10.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.30. Apache httpd mod_proxy_ftp UTF-7 XSS (CVE-2008-0005) (apache-httpd-2_2_x-mod_proxy_ftp-utf-7-xss-
cve-2008-0005)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server
configuration for validation.
A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a
cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules
in RFC 2616.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2008-03-18
BID 27234
CVE CVE-2008-0005
OVAL OVAL10812
REDHAT RHSA-2008:0004
REDHAT RHSA-2008:0005
REDHAT RHSA-2008:0006
REDHAT RHSA-2008:0007
REDHAT RHSA-2008:0008
REDHAT RHSA-2008:0009
SECUNIA 28467
SECUNIA 28471
SECUNIA 28526
SECUNIA 28607
SECUNIA 28749
SECUNIA 28977
SECUNIA 29348
SECUNIA 29420
SECUNIA 29640
SECUNIA 30732
SECUNIA 35650
SUSE SUSE-SA:2008:021
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-modproxyftp-utf7-xss(39615)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.31. Apache httpd mod_status XSS (CVE-2007-6388) (apache-httpd-2_2_x-mod_status-xss-cve-2007-6388)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_status. Review your Web server
configuration for validation.
A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a
cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this
publicly available.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2008-03-18
APPLE APPLE-SA-2008-05-28
BID 27237
CERT TA08-150A
CVE CVE-2007-6388
OVAL OVAL10272
REDHAT RHSA-2008:0004
REDHAT RHSA-2008:0005
REDHAT RHSA-2008:0006
REDHAT RHSA-2008:0007
REDHAT RHSA-2008:0008
REDHAT RHSA-2008:0009
REDHAT RHSA-2008:0261
SECUNIA 28467
SECUNIA 28471
SECUNIA 28526
SECUNIA 28607
SECUNIA 28749
SECUNIA 28922
SECUNIA 28965
SECUNIA 28977
SECUNIA 29420
SECUNIA 29504
SECUNIA 29640
SECUNIA 29806
SECUNIA 29988
SECUNIA 30356
SECUNIA 30430
SECUNIA 30732
SECUNIA 31142
SECUNIA 33200
SUSE SUSE-SA:2008:021
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-status-page-xss(39472)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.32. Apache httpd apr_fnmatch flaw leads to mod_autoindex remote DoS (CVE-2011-0419) (apache-httpd-cve-2011-0419)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_autoindex. Review your Web server
configuration for validation.
A flaw was found in the apr_fnmatch() function of the bundled APR library. Where mod_autoindex is enabled, and a directory indexed
by mod_autoindex contained files with sufficiently long names, a remote attacker could send a carefully crafted request which would
cause excessive CPU usage. This could be used in a denial of service attack.
Acknowledgements: This issue was reported by Maksymilian Arciemowicz.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2011-10-12
CVE CVE-2011-0419
DEBIAN DSA-2237
REDHAT RHSA-2011:0507
REDHAT RHSA-2011:0896
REDHAT RHSA-2011:0897
SECUNIA 44490
SECUNIA 44564
SECUNIA 44574
URL http://httpd.apache.org/security/vulnerabilities_20.html
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.0 and < 2.1
Upgrade to Apache version 2.0.65
Download and apply the upgrade from: http://httpd.apache.org/download.cgi
Apache HTTP server version 2.0.65 is currently not available for download. Please check the Apache HTTP server download page for
more information. Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built
packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they
are available for your operating system.
Apache >= 2.2 and < 2.3
Upgrade to Apache version 2.2.19
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.19.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.33. Apache httpd APR-util heap underwrite (CVE-2009-0023) (http-apache-apr-util-heap-underwrite)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker can provide a specially crafted search keyword to a
function that handles compiled forms of search patterns. Review your Web server configuration for validation.
A heap-based underwrite flaw was found in the way the bundled copy of the APR-util library created compiled forms of particular
search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations
when processed by the pattern preparation engine.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2009-11-09
BID 35221
CVE CVE-2009-0023
DEBIAN DSA-1812
OVAL OVAL10968
OVAL OVAL12321
REDHAT RHSA-2009:1107
REDHAT RHSA-2009:1108
SECUNIA 34724
SECUNIA 35284
SECUNIA 35360
SECUNIA 35395
SECUNIA 35444
SECUNIA 35487
SECUNIA 35565
SECUNIA 35710
SECUNIA 35797
SECUNIA 35843
SECUNIA 37221
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-aprstrmatchprecompile-dos(50964)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.34. Apache ETag Inode Information Leakage (http-apache-etag-inode-leak)
Description:
Certain versions of Apache use the requested file's inode number to construct the 'ETag' response header. While not a vulnerability in
and of itself, this information makes certain NFS attacks much simpler to execute.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
http://174.143.96.250/index.html
1: "1f20e9d-14c-48dd25a7358c0"
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
https://174.143.96.250/
1: "1e38016-ee7-46b9dad472100"
References:
Source Reference
BID 6939
BID 6943
CVE CVE-2003-1418
XF apache-mime-information-disclosure(11438)
Vulnerability Solution:
Disable inode-based ETag generation in the Apache config
You can remove inode information from the ETag header by adding the following directive to your Apache config:
FileETag MTime Size
OpenBSD
Apply OpenBSD 3.2 errata #8 for Apache inode and pid leak
Download and apply the patch from: http://www.openbsd.org/errata32.html#httpd
The OpenBSD team has released a patch for the Apache inode and pid leak problem. This patch can be applied cleanly to 3.2 stable
and rebuilt. Restart httpd for the changes to take effect. OpenBSD 3.3 will ship with the patched httpd by default. The patch can be
applied to earlier 3.x versions of OpenBSD, but it may require editing of the source code.
3.2.35. Apache httpd mod_proxy_balancer CSRF (CVE-2007-6420) (http-apache-mod_proxy_balancer-csrf)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_balancer. Review your Web
server configuration for validation.
The mod_proxy_balancer provided an administrative interface that could be vulnerable to cross-site request forgery (CSRF) attacks.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2008-10-09
BID 27236
BID 31681
CVE CVE-2007-6420
OVAL OVAL8371
REDHAT RHSA-2008:0966
SECUNIA 31026
SECUNIA 32222
SECUNIA 33797
SECUNIA 34219
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.9.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.36. Apache httpd mod_proxy_balancer DoS (CVE-2007-6422) (http-apache-mod_proxy_balancer-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_balancer. Review your Web
server configuration for validation.
A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send
a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of
service if using a threaded Multi-Processing Module.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
BID 27236
CVE CVE-2007-6422
OVAL OVAL10181
OVAL OVAL8690
REDHAT RHSA-2008:0008
REDHAT RHSA-2008:0009
SECUNIA 28526
SECUNIA 28749
SECUNIA 28977
SECUNIA 29348
SECUNIA 29640
SUSE SUSE-SA:2008:021
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-modproxybalancer-dos(39476)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.37. Apache httpd mod_proxy_balancer XSS (CVE-2007-6421) (http-apache-mod_proxy_balancer-xss)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_balancer. Review your Web
server configuration for validation.
A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, a cross-site scripting attack
against an authorized user is possible.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2008-03-18
BID 27236
CVE CVE-2007-6421
OVAL OVAL10664
OVAL OVAL8651
REDHAT RHSA-2008:0008
REDHAT RHSA-2008:0009
SECUNIA 28526
SECUNIA 28749
SECUNIA 28977
SECUNIA 29420
SECUNIA 29640
SUSE SUSE-SA:2008:021
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-modproxybalancer-xss(39474)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.38. Apache httpd mod_status cross-site scripting (CVE-2006-5752) (http-apache-mod_status-xss)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_status. Review your Web server
configuration for validation.
The affected asset is vulnerable to this Apache vulnerability ONLY if the server-status page is publicly accessible and ExtendedStatus
is enabled. Review your Web server configuration for validation.
A flaw was found in the mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is
enabled this could lead to a cross-site scripting attack. Note that the server-status page is not enabled by default and it is best practice
to not make this publicly available.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
BID 24645
CVE CVE-2006-5752
OVAL OVAL10154
REDHAT RHSA-2007:0532
REDHAT RHSA-2007:0533
REDHAT RHSA-2007:0534
REDHAT RHSA-2007:0556
REDHAT RHSA-2007:0557
REDHAT RHSA-2008:0261
SECUNIA 25827
SECUNIA 25830
SECUNIA 25873
SECUNIA 25920
SECUNIA 26273
SECUNIA 26443
SECUNIA 26458
SECUNIA 26508
SECUNIA 26822
SECUNIA 26842
SECUNIA 26993
SECUNIA 27037
SECUNIA 27563
SECUNIA 27732
SECUNIA 28212
SECUNIA 28224
SECUNIA 28606
SUSE SUSE-SA:2007:061
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-modstatus-xss(35097)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.6.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.39. Apache httpd Subrequest handling of request headers (mod_headers) (CVE-2010-0434) (http-apache-request-header-info-disclosure)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_headers. Review your Web server
configuration for validation.
A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in array to the subrequest,
instead of a pointer to the parent request's array as it had for requests without request bodies. This meant all modules such as
mod_headers which may manipulate the input headers for a subrequest would poison the parent request in two ways, one by modifying
the parent request, which might not be intended, and second by leaving pointers to modified header fields in memory allocated to the
subrequest scope, which could be freed before the main request processing was finished, resulting in a segfault or in revealing data
from another request on threaded servers, such as the worker or winnt MPMs.
Acknowledgements: We would like to thank Philip Pickett of VMware for reporting and proposing a fix for this issue.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2010-11-10
BID 38494
CVE CVE-2010-0434
DEBIAN DSA-2035
OVAL OVAL10358
OVAL OVAL8695
REDHAT RHSA-2010:0168
REDHAT RHSA-2010:0175
SECUNIA 39100
SECUNIA 39115
SECUNIA 39501
SECUNIA 39628
SECUNIA 39632
SECUNIA 39656
SECUNIA 40096
URL http://httpd.apache.org/security/vulnerabilities_22.html
XF apache-http-rh-info-disclosure(56625)
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.15.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.2.40. MySQL Bug #44798: Stored Procedures Server Crash (mysql-bug-44798-stored-procedures-server-crash)
Description:
Versions of MySQL server 5.0 before 5.0.84 and 5.1 before 5.1.36 suffer from a privilege interpretation flaw that causes a server crash.
A user created with the privileges to create stored procedures but not execute them will trigger this issue.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:3306 Running vulnerable MySQL service: MySQL 5.0.77.
References:
Source Reference
URL http://bugs.mysql.com/bug.php?id=44798
Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.84
Upgrade to MySQL v5.0.84
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
MySQL >= 5.1.0 and < 5.1.36
Upgrade to MySQL v5.1.36
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.2.41. PHP Fixed NULL pointer dereference in ZipArchive::getArchiveComment (php-fixed-null-pointer-dereference-in-ziparchivegetarchivecomment)
Description:
The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers
to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
References:
Source Reference
APPLE APPLE-SA-2011-03-21
BID 44718
CVE CVE-2010-3709
REDHAT RHSA-2011:0195
SECUNIA 42729
SECUNIA 42812
Vulnerability Solution:
Upgrade to PHP v5.3.4
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz
Upgrade to PHP v5.2.15
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.15.tar.gz
3.2.42. Self-signed TLS/SSL certificate (ssl-self-signed-certificate)
Description:
The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-
in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:25 TLS/SSL certificate is self-signed.
174.143.96.250:443 TLS/SSL certificate is self-signed.
174.143.96.250:587 TLS/SSL certificate is self-signed.
References: None
Vulnerability Solution: Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server. The exact instructions for obtaining a new
certificate depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request
as a file. This file is then sent to a Certificate Authority (CA) for processing. Your organization may have its own internal Certificate
Authority. If not, you may have to pay for a certificate from a trusted external Certificate Authority, such as Thawte or Verisign.
3.3. Moderate Vulnerabilities
3.3.1. Apache httpd mod_proxy_ftp DoS (CVE-2009-3094) (http-apache-mod_proxy_ftp-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server
configuration for validation.
A NULL pointer dereference flaw was found in the mod_proxy_ftp module. A malicious FTP server to which requests are being proxied
could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial
of service.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source Reference
CVE CVE-2009-3094
DEBIAN DSA-1934
OVAL OVAL10981
OVAL OVAL8087
SECUNIA 36549
SECUNIA 37152
SUSE SUSE-SA:2009:050
URL http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution: Apache >= 2.2 and < 2.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.14.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.
3.3.2. MySQL HTML Output Script Insertion Vulnerability (mysql-html-output-script-insertion)
Description:
A cross-site scripting (XSS) vulnerability exists in the command-line client when the "--html" option is enabled. This could allow
attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by the client when composing
an HTML document.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:3306 Running vulnerable MySQL service: MySQL 5.0.77.
References:
Source Reference
APPLE APPLE-SA-2010-03-29
BID 31486
CVE CVE-2008-4456
DEBIAN DSA-1783
OVAL OVAL11456
REDHAT RHSA-2010:0110
SECUNIA 32072
SECUNIA 34907
SECUNIA 38517
URL http://bugs.mysql.com/bug.php?id=27884
URL http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
XF mysql-commandline-xss(45590)
Vulnerability Solution: MySQL 5.1.x
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.3.3. OpenSSH CBC Mode Information Disclosure Vulnerability (ssh-openssh-cbc-mode-info-disclosure)
Description:
Certain versions of OpenSSH ship with a flawed implementation of the block cipher algorithm in the Cipher Block Chaining (CBC)
mode. This could allow a remote attacker to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via
unknown vectors.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:22 Running vulnerable SSH service: OpenSSH 4.3.
References:
Source Reference
APPLE APPLE-SA-2009-11-09
BID 32319
CERT-VN 958563
CVE CVE-2008-5161
OSVDB 49872
OSVDB 50035
OSVDB 50036
OVAL OVAL11279
SECUNIA 32740
SECUNIA 32760
SECUNIA 32833
SECUNIA 33121
SECUNIA 33308
SECUNIA 34857
URL http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
URL http://www.openssh.com/txt/cbc.adv
XF openssh-sshtectia-cbc-info-disclosure(46620)
Vulnerability Solution: Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz
Version 5.2 of OpenSSH was released on February 22nd, 2009.
While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH.
These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the
packages if they are available for your operating system.
3.3.4. Database Open Access (database-open-access)
Description:
The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because
databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a
violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure
authentication mechanisms.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:3306 Running vulnerable MySQL service.
References:
Source Reference
URL https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
Vulnerability Solution: Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the
database in an internal network zone, segregated from the DMZ.
3.3.5. TCP timestamp response (generic-tcp-timestamp)
Description:
The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's
uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their
TCP timestamps.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250 Apparent system boot time: Fri Nov 18 18:17:26 COT 2011
References:
Source Reference
URL http://www.forensicswiki.org/wiki/TCP_timestamps
URL http://www.ietf.org/rfc/rfc1323.txt
URL http://uptime.netcraft.com
Vulnerability Solution:
Cisco
Disable TCP timestamp responses on Cisco
Run the following command to disable TCP timestamps:
no ip tcp timestamp
FreeBSD
Disable TCP timestamp responses on FreeBSD
Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:
sysctl -w net.inet.tcp.rfc1323=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
net.inet.tcp.rfc1323=0
Linux
Disable TCP timestamp responses on Linux
Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:
sysctl -w net.ipv4.tcp_timestamps=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
net.ipv4.tcp_timestamps=0
OpenBSD
Disable TCP timestamp responses on OpenBSD
Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:
sysctl -w net.inet.tcp.rfc1323=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
net.inet.tcp.rfc1323=0
Microsoft Windows
Disable TCP timestamp responses on Windows
Set the Tcp1323Opts value in the following key to 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
3.3.6. WebDAV Extensions are Enabled (http-generic-webdav-enabled)
Description:
WebDAV is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers.
Many web servers enable WebDAV extensions by default, even when they are not needed. Because of its added complexity, it is
considered good practice to disable WebDAV if it is not currently in use.
Affected Nodes:
Affected Nodes: Additional Information:
174.143.96.250:80 Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 Running vulnerable HTTPS service: Apache 2.2.3.
References: None
Vulnerability Solution:
IIS, PWS, Microsoft-IIS, Internet Information Services, Microsoft-PWS
Disable WebDAV for IIS
For Microsoft IIS, follow Microsoft's instructions to disable WebDAV for the entire server.
Apache
Disable WebDAV for Apache
Make sure the mod_dav module is disabled, or ensure that authentication is required on directories where DAV is required.
Apache Tomcat, Tomcat, Tomcat Web Server
Disable WebDAV for Apache Tomcat
Disable the WebDAV Servlet for all web applications found on the web server. This can be done by removing the servlet definition for
WebDAV (the org.apache.catalina.servlets.WebdavServlet class) and remove all servlet mappings referring to the WebDAV servlet.
Java System Web Server, iPlanet, SunONE WebServer, Sun-ONE-Web-Server
Disable WebDAV for iPlanet/Sun ONE
Disable WebDAV on the web server. This can be done by disabling WebDAV for the server instance and for all virtual servers.
To disable WebDAV for the server instance, enter the Server Manager and uncheck the "Enable WebDAV Globally" checkbox then
click the "OK" button.
To disable WebDAV for each virtual server, enter the Class Manager and uncheck the "Enable WebDAV Globally" checkbox next to
each server instance then click the "OK" button.
4. Discovered Services
4.1. HTTP
HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the World Wide Web. The multimedia files
commonly used with HTTP include text, sound, images and video.
4.1.1. General Security Issues
Simple authentication scheme
Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a very simple scheme that uses base 64 to
encode the cleartext user id and password. If a malicious user is in a position to monitor HTTP traffic, user ids and passwords can be
stolen by decoding the base 64 authentication data. To secure the authentication process, use HTTPS (HTTP over TLS/SSL)
connections to transmit the authentication data.
4.1.2. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
174.143.96.250 tcp 80 8 Apache 2.2.3
PHP: 5.2.14
WebDAV:
http.banner: Apache/2.2.3 (Red Hat)
http.banner.server: Apache/2.2.3 (Red Hat)
http.banner.x-powered-by: PHP/5.2.14
4.2. HTTPS
HTTPS, the HyperText Transfer Protocol over TLS/SSL, is used to exchange multimedia content on the World Wide Web using
encrypted (TLS/SSL) connections. Once the TLS/SSL connection is established, the standard HTTP protocol is used. The multimedia
files commonly used with HTTP include text, sound, images and video.
4.2.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
174.143.96.250 tcp 443 8 Apache 2.2.3
WebDAV:
http.banner: Apache/2.2.3 (Red Hat)
http.banner.server: Apache/2.2.3 (Red Hat)
ssl: true
ssl.cert.issuer.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Tue, 01 Jun 2010 11:41:37 COT
ssl.cert.not.valid.before: Mon, 01 Jun 2009 11:41:37 COT
ssl.cert.selfsigned: true
ssl.cert.serial.number: 1243874497
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
ssl.cert.validsignature: true
ssl.version.ssl20: true
verbs-1: GET
verbs-2: HEAD
verbs-3: OPTIONS
verbs-4: POST
verbs-count: 4
4.3. MySQL
4.3.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
174.143.96.250 tcp 3306 8 MySQL 5.0.77
logging: disabled
protocolVersion: 10
4.4. SMTP
SMTP, the Simple Mail Transfer Protocol, is the Internet standard way to send e-mail messages between hosts. Clients typically
submit outgoing e-mail to their SMTP server, which then forwards the message on through other SMTP servers until it reaches its final
destination.
4.4.1. General Security Issues
Installed by default
By default, most UNIX workstations come installed with the sendmail (or equivalent) SMTP server to handle mail for the local host (e.g.
the output of some cron jobs is sent to the root account via email). Check your workstations to see if sendmail is running, by telnetting
to port 25/tcp. If sendmail is running, you will see something like this:
$ telnet mybox 25
Trying 192.168.0.1...
Connected to mybox.
Escape character is '^]'.
220 mybox. ESMTP Sendmail 8.12.2/8.12.2; Thu, 9 May 2002 03:16:26 -0700 (PDT)
If sendmail is running and you don't need it, then disable it via /etc/rc.conf or your operating system's equivalent startup configuration
file. If you do need SMTP for the localhost, make sure that the server is only listening on the loopback interface (127.0.0.1) and is not
reachable by other hosts. Also be sure to check port 587/tcp, which some versions of sendmail use for outgoing mail submissions.
Promiscuous relay
Perhaps the most common security issue with SMTP servers is servers which act as a "promiscuous relay", or "open relay". This
describes servers which accept and relay mail from anywhere to anywhere. This setup allows unauthenticated 3rd parties (spammers)
to use your mail server to send their spam to unwitting recipients. Promiscuous relay checks are performed on all discovered SMTP
servers. See "smtp-general-openrelay" for more information on this vulnerability and how to fix it.
4.4.2. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
174.143.96.250 tcp 25 2 Unknown
advertise-esmtp: 1
advertised-esmtp-extension-count: 5
advertises-esmtp: TRUE
smtp.banner: 220 228605-web1.www.tabascohoy.com ESMTP
ssl.cert.issuer.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Tue, 01 Jun 2010 11:41:37 COT
ssl.cert.not.valid.before: Mon, 01 Jun 2009 11:41:37 COT
ssl.cert.selfsigned: true
ssl.cert.serial.number: 1243874497
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
ssl.cert.validsignature: true
supported-auth-method-count: 3
supported-auth-method:1: LOGIN
supported-auth-method:2: CRAM-MD5
supported-auth-method:3: PLAIN
supports-8bitmime: TRUE
supports-auth: TRUE
supports-auth=login: TRUE
supports-debug: FALSE
supports-expand: FALSE
supports-pipelining: TRUE
supports-starttls: TRUE
supports-turn: FALSE
supports-verify: FALSE
Device Protocol Port Vulnerabilities Additional Information
174.143.96.250 tcp 587 2 Unknown
advertise-esmtp: 1
advertised-esmtp-extension-count: 5
advertises-esmtp: TRUE
smtp.banner: 220 228605-web1.www.tabascohoy.com ESMTP
ssl.cert.issuer.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Tue, 01 Jun 2010 11:41:37 COT
ssl.cert.not.valid.before: Mon, 01 Jun 2009 11:41:37 COT
ssl.cert.selfsigned: true
ssl.cert.serial.number: 1243874497
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
ssl.cert.validsignature: true
supported-auth-method-count: 3
supported-auth-method:1: LOGIN
supported-auth-method:2: CRAM-MD5
supported-auth-method:3: PLAIN
supports-8bitmime: TRUE
supports-auth: TRUE
supports-auth=login: TRUE
supports-debug: FALSE
supports-expand: FALSE
supports-pipelining: TRUE
supports-starttls: TRUE
supports-turn: FALSE
supports-verify: FALSE
4.5. SSH
SSH, or Secure SHell, is designed to be a replacement for the aging Telnet protocol. It primarily adds encryption and data integrity to
Telnet, but can also provide superior authentication mechanisms such as public key authentication.
4.5.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
174.143.96.250 tcp 22 3 OpenSSH 4.3
ssh.banner: SSH-2.0-OpenSSH_4.3
ssh.protocol.version: 2.0
ssh.rsa.pubkey.fingerprint: 68155186A79E9D58FA0BA9D1B132D88F
5. Discovered Users and Groups
No user or group information was discovered during the scan.
6. Discovered Databases
No database information was discovered during the scan.
7. Discovered Files and Directories
No file or directory information was discovered during the scan.
8. Policy Evaluations
No policy evaluations were performed.
9. Spidered Web Sites
No web sites were spidered during the scan.